webrick 1.8.1 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a401983074ecea6a30f8227ed888b735b3cdceadde14a7030b391cc45f948c2c
-  data.tar.gz: d40f18576cb9c335439796b1cdd92c7faf515ef944deb53c517fdf8c8390a79a
+  metadata.gz: 706b97607998e5b9d2a966fd09af6f7fa6a5b40f2df22977b111e5afa2bbc0f6
+  data.tar.gz: e4376566540a86f896f31b61ed924d69f0fb415fe491273b0365169c16663ef7
 SHA512:
-  metadata.gz: 1e5edb6d6798b75aafd9d16787f910e7a4beaf5cb7762af1c9f5add5725b037547bd875e9df8bc1f9ca18bcd3fa5839d25a566891f64cd55b9f145e8735e02b2
-  data.tar.gz: 7d3ffd0d2db521ca3ee6cdb3d8a7e448037d9694ceae62737b71d887e8089902ee71a2b334970dabad2767085b771c315a968993f6df83429f8f957d40ae72a8
+  metadata.gz: d4321cb073b84fc0e32211b4fa1510520ec396a62b3165761638e84471a1e56915f751d46aceae6ac8d13aafd09b9066a05928a5b76abf3c82bc8501e74a9029
+  data.tar.gz: 9f66a53d89839da69abb3afd75a48f746e4023f888db3afd404a903bebde1f878318f08dff470e3006e1fa0637185f9f5bdc9e59c627f162e3664a482b149d06

data/Gemfile

@@ -4,3 +4,7 @@ gemspec
 
 gem "rake"
 gem "test-unit"
+gem "test-unit-ruby-core"
+
+# rbs requires ruby 3.0+
+gem "rbs", require: false if !RUBY_VERSION.start_with?('2.')

data/README.md

@@ -10,6 +10,8 @@ A WEBrick server can be composed of multiple WEBrick servers or servlets to prov
 
 WEBrick also includes tools for daemonizing a process and starting a process at a higher privilege level and dropping permissions.
 
+WEBrick is suitable for use in testing and for development.  However, while the developers of WEBrick will attempt to fix security issues, they do not encourage the use of WEBrick to serve production web applications that may be subject to hostile input.
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/Rakefile

@@ -7,11 +7,4 @@ Rake::TestTask.new(:test) do |t|
   t.test_files = FileList["test/**/test_*.rb"]
 end
 
-task :sync_tool do
-  require 'fileutils'
-  FileUtils.cp "../ruby/tool/lib/core_assertions.rb", "./test/lib"
-  FileUtils.cp "../ruby/tool/lib/envutil.rb", "./test/lib"
-  FileUtils.cp "../ruby/tool/lib/find_executable.rb", "./test/lib"
-end
-
 task :default => :test

data/lib/webrick/httprequest.rb

@@ -318,7 +318,7 @@ module WEBrick
     def [](header_name)
       if @header
         value = @header[header_name.downcase]
-        value.empty? ? nil : value.join(", ")
+        value.empty? ? nil : value.join
       end
     end
 
@@ -329,7 +329,7 @@ module WEBrick
       if @header
         @header.each{|k, v|
           value = @header[k]
-          yield(k, value.empty? ? nil : value.join(", "))
+          yield(k, value.empty? ? nil : value.join)
         }
       end
     end
@@ -402,7 +402,7 @@ module WEBrick
     # This method provides the metavariables defined by the revision 3
     # of "The WWW Common Gateway Interface Version 1.1"
     # To browse the current document of CGI Version 1.1, see below:
-    # http://tools.ietf.org/html/rfc3875
+    # https://www.rfc-editor.org/rfc/rfc3875
 
     def meta_vars
       meta = Hash.new
@@ -458,7 +458,7 @@ module WEBrick
       end
 
       @request_time = Time.now
-      if /^(\S+)\s+(\S++)(?:\s+HTTP\/(\d+\.\d+))?\r?\n/mo =~ @request_line
+      if /^(\S+) (\S++)(?: HTTP\/(\d+\.\d+))?\r\n/mo =~ @request_line
         @request_method = $1
         @unparsed_uri   = $2
         @http_version   = HTTPVersion.new($3 ? $3 : "0.9")
@@ -470,15 +470,34 @@ module WEBrick
 
     def read_header(socket)
       if socket
+        end_of_headers = false
+
         while line = read_line(socket)
-          break if /\A(#{CRLF}|#{LF})\z/om =~ line
+          if line == CRLF
+            end_of_headers = true
+            break
+          end
           if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH
             raise HTTPStatus::RequestEntityTooLarge, 'headers too large'
           end
+          if line.include?("\x00")
+            raise HTTPStatus::BadRequest, 'null byte in header'
+          end
           @raw_header << line
         end
+
+        # Allow if @header already set to support chunked trailers
+        raise HTTPStatus::EOFError unless end_of_headers || @header
       end
       @header = HTTPUtils::parse_header(@raw_header.join)
+
+      if (content_length = @header['content-length']) && content_length.length != 0
+        if content_length.length > 1
+          raise HTTPStatus::BadRequest, "multiple content-length request headers"
+        elsif !/\A\d+\z/.match?(content_length[0])
+          raise HTTPStatus::BadRequest, "invalid content-length request header"
+        end
+      end
     end
 
     def parse_uri(str, scheme="http")
@@ -503,14 +522,19 @@ module WEBrick
       return URI::parse(uri.to_s)
     end
 
+    host_pattern = URI::RFC2396_Parser.new.pattern.fetch(:HOST)
+    HOST_PATTERN = /\A(#{host_pattern})(?::(\d+))?\z/n
     def parse_host_request_line(host)
-      pattern = /\A(#{URI::REGEXP::PATTERN::HOST})(?::(\d+))?\z/no
-      host.scan(pattern)[0]
+      host.scan(HOST_PATTERN)[0]
     end
 
     def read_body(socket, block)
       return unless socket
       if tc = self['transfer-encoding']
+        if self['content-length']
+          raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"
+        end
+
         case tc
         when /\Achunked\z/io then read_chunked(socket, block)
         else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
@@ -534,7 +558,7 @@ module WEBrick
 
     def read_chunk_size(socket)
       line = read_line(socket)
-      if /^([0-9a-fA-F]+)(?:;(\S+))?/ =~ line
+      if /\A([0-9a-fA-F]+)(?:;(\S+(?:=\S+)?))?\r\n\z/ =~ line
         chunk_size = $1.hex
         chunk_ext = $2
         [ chunk_size, chunk_ext ]
@@ -555,7 +579,11 @@ module WEBrick
           block.call(data)
         end while (chunk_size -= sz) > 0
 
-        read_line(socket)                    # skip CRLF
+        line = read_line(socket)              # skip CRLF
+        unless line == "\r\n"
+          raise HTTPStatus::BadRequest, "extra data after chunk `#{line}'."
+        end
+
         chunk_size, = read_chunk_size(socket)
       end
       read_header(socket)                    # trailer + CRLF

data/lib/webrick/httputils.rb

@@ -55,7 +55,6 @@ module WEBrick
       "cer"   => "application/pkix-cert",
       "crl"   => "application/pkix-crl",
       "crt"   => "application/x-x509-ca-cert",
-     #"crl"   => "application/x-pkcs7-crl",
       "css"   => "text/css",
       "dms"   => "application/octet-stream",
       "doc"   => "application/msword",
@@ -153,28 +152,49 @@ module WEBrick
     # Parses an HTTP header +raw+ into a hash of header fields with an Array
     # of values.
 
+    class SplitHeader < Array
+      def join(separator = ", ")
+        super
+      end
+    end
+
+    class CookieHeader < Array
+      def join(separator = "; ")
+        super
+      end
+    end
+
+    HEADER_CLASSES = Hash.new(SplitHeader).update({
+      "cookie" => CookieHeader,
+    })
+
     def parse_header(raw)
       header = Hash.new([].freeze)
       field = nil
       raw.each_line{|line|
         case line
-        when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):\s*(.*?)\s*\z/om
+        when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):([^\r\n\0]*?)\r\n\z/om
           field, value = $1, $2
           field.downcase!
-          header[field] = [] unless header.has_key?(field)
+          header[field] = HEADER_CLASSES[field].new unless header.has_key?(field)
           header[field] << value
-        when /^\s+(.*?)\s*\z/om
-          value = $1
+        when /^[ \t]+([^\r\n\0]*?)\r\n/om
           unless field
             raise HTTPStatus::BadRequest, "bad header '#{line}'."
           end
+          value = line
+          value.gsub!(/\A[ \t]+/, '')
+          value.slice!(-2..-1)
           header[field][-1] << " " << value
         else
           raise HTTPStatus::BadRequest, "bad header '#{line}'."
         end
       }
       header.each{|key, values|
-        values.each(&:strip!)
+        values.each{|value|
+          value.gsub!(/\A[ \t]+/, '')
+          value.gsub!(/[ \t]+\z/, '')
+        }
       }
       header
     end
@@ -184,8 +204,8 @@ module WEBrick
     # Splits a header value +str+ according to HTTP specification.
 
     def split_header_value(str)
-      str.scan(%r'\G((?:"(?:\\.|[^"])+?"|[^",]+)+)
-                    (?:,\s*|\Z)'xn).flatten
+      str.scan(%r'\G((?:"(?:\\.|[^"])+?"|[^",]++)+)
+                    (?:,[ \t]*|\Z)'xn).flatten
     end
     module_function :split_header_value
 
@@ -213,9 +233,9 @@ module WEBrick
     def parse_qvalues(value)
       tmp = []
       if value
-        parts = value.split(/,\s*/)
+        parts = value.split(/,[ \t]*/)
         parts.each {|part|
-          if m = %r{^([^\s,]+?)(?:;\s*q=(\d+(?:\.\d+)?))?$}.match(part)
+          if m = %r{^([^ \t,]+?)(?:;[ \t]*q=(\d+(?:\.\d+)?))?$}.match(part)
             val = m[1]
             q = (m[2] or 1).to_f
             tmp.push([val, q])
@@ -314,8 +334,8 @@ module WEBrick
         elsif str == CRLF
           @header = HTTPUtils::parse_header(@raw_header.join)
           if cd = self['content-disposition']
-            if /\s+name="(.*?)"/ =~ cd then @name = $1 end
-            if /\s+filename="(.*?)"/ =~ cd then @filename = $1 end
+            if /[ \t]+name="(.*?)"/ =~ cd then @name = $1 end
+            if /[ \t]+filename="(.*?)"/ =~ cd then @filename = $1 end
           end
         else
           @raw_header << str

data/lib/webrick/version.rb

@@ -14,5 +14,5 @@ module WEBrick
   ##
   # The WEBrick version
 
-  VERSION      = "1.8.1"
+  VERSION      = "1.9.0"
 end

data/sig/accesslog.rbs

@@ -0,0 +1,24 @@
+module WEBrick
+  module AccessLog
+    class AccessLogError < StandardError
+    end
+
+    CLF_TIME_FORMAT: String
+
+    COMMON_LOG_FORMAT: String
+
+    CLF: String
+
+    REFERER_LOG_FORMAT: String
+
+    AGENT_LOG_FORMAT: String
+
+    COMBINED_LOG_FORMAT: String
+
+    def self?.setup_params: (Hash[Symbol, untyped] config, HTTPRequest req, HTTPResponse res) -> Hash[String, untyped]
+
+    def self?.format: (String format_string, Hash[String, untyped] params) -> String
+
+    def self?.escape: (String data) -> String
+  end
+end

data/sig/cgi.rbs

@@ -0,0 +1,92 @@
+module WEBrick
+  class CGI
+    @options: Array[untyped]
+
+    class CGIError < StandardError
+    end
+
+    attr_reader config: Hash[Symbol, untyped]
+
+    attr_reader logger: BasicLog
+
+    def initialize: (*untyped args) -> void
+
+    def []: (Symbol key) -> untyped
+
+    interface _Env
+      def []: (String) -> String?
+    end
+
+    def start: (?_Env env, ?IO stdin, ?IO stdout) -> void
+
+    def self.setup_header: () -> untyped
+
+    def self.status_line: () -> ""
+
+    def service: (HTTPRequest req, HTTPResponse res) -> void
+
+    class Socket
+      @config: Hash[Symbol, untyped]
+
+      @env: _Env
+
+      @header_part: StringIO
+
+      @body_part: IO
+
+      @out_port: IO
+
+      @server_addr: String
+
+      @server_name: String?
+
+      @server_port: String?
+
+      @remote_addr: String?
+
+      @remote_host: String?
+
+      @remote_port: (String | 0)
+
+      include Enumerable[String]
+
+      private
+
+      def initialize: (Hash[Symbol, untyped] config, _Env env, IO stdin, IO stdout) -> void
+
+      def request_line: () -> String
+
+      def setup_header: () -> void
+
+      def add_header: (String hdrname, String value) -> void
+
+      def input: () -> (IO | StringIO)
+
+      public
+
+      def peeraddr: () -> [nil, (String | 0), String?, String?]
+
+      def addr: () -> [nil, String?, String?, String]
+
+      def gets: (?String eol, ?Integer? size) -> String?
+
+      def read: (?Integer? size) -> String?
+
+      def each: () { (String) -> void } -> void
+
+      def eof?: () -> bool
+
+      def <<: (_ToS data) -> IO
+
+      def write: (_ToS data) -> Integer
+
+      def cert: () -> OpenSSL::X509::Certificate?
+
+      def peer_cert: () -> OpenSSL::X509::Certificate?
+
+      def peer_cert_chain: () -> Array[OpenSSL::X509::Certificate]?
+
+      def cipher: () -> [String?, String?, String?, String?]?
+    end
+  end
+end

data/sig/compat.rbs

@@ -0,0 +1,18 @@
+#
+# System call error module used by webrick for cross platform compatibility.
+#
+# EPROTO:: protocol error
+# ECONNRESET:: remote host reset the connection request
+# ECONNABORTED:: Client sent TCP reset (RST) before server has accepted the
+#                connection requested by client.
+#
+module Errno
+  class EPROTO < SystemCallError
+  end
+
+  class ECONNRESET < SystemCallError
+  end
+
+  class ECONNABORTED < SystemCallError
+  end
+end

data/sig/config.rbs

@@ -0,0 +1,17 @@
+module WEBrick
+  module Config
+    LIBDIR: String
+
+    # for GenericServer
+    General: Hash[Symbol, untyped]
+
+    # for HTTPServer, HTTPRequest, HTTPResponse ...
+    HTTP: Hash[Symbol, untyped]
+
+    FileHandler: Hash[Symbol, untyped]
+
+    BasicAuth: Hash[Symbol, untyped]
+
+    DigestAuth: Hash[Symbol, untyped]
+  end
+end

data/sig/cookie.rbs

@@ -0,0 +1,37 @@
+module WEBrick
+  class Cookie
+    @expires: String?
+
+    attr_reader name: String?
+
+    attr_accessor value: String?
+
+    attr_accessor version: Integer
+
+    #
+    # The cookie domain
+    attr_accessor domain: String?
+
+    attr_accessor path: String?
+
+    attr_accessor secure: true?
+
+    attr_accessor comment: String?
+
+    attr_accessor max_age: Integer?
+
+    def initialize: (untyped name, untyped value) -> void
+
+    def expires=: ((Time | _ToS)? t) -> untyped
+
+    def expires: () -> Time?
+
+    def to_s: () -> String
+
+    def self.parse: (String? str) -> Array[instance]?
+
+    def self.parse_set_cookie: (String str) -> instance
+
+    def self.parse_set_cookies: (String str) -> Array[instance]
+  end
+end

data/sig/htmlutils.rbs

@@ -0,0 +1,5 @@
+module WEBrick
+  module HTMLUtils
+    def self?.escape: (String? string) -> String
+  end
+end

data/sig/httpauth/authenticator.rbs

@@ -0,0 +1,55 @@
+module WEBrick
+  module HTTPAuth
+    module Authenticator
+      @reload_db: bool?
+
+      @request_field: String
+
+      @response_field: String
+
+      @resp_info_field: String
+
+      @auth_exception: singleton(HTTPStatus::ClientError)
+
+      @auth_scheme: String
+
+      RequestField: String
+
+      ResponseField: String
+
+      ResponseInfoField: String
+
+      AuthException: singleton(HTTPStatus::ClientError)
+
+      AuthScheme: String?
+
+      attr_reader realm: String?
+
+      attr_reader userdb: UserDB
+
+      attr_reader logger: Log
+
+      private
+
+      def check_init: (Hash[Symbol, untyped] config) -> void
+
+      def check_scheme: (HTTPRequest req) -> String?
+
+      def log: (interned meth, String fmt, *untyped args) -> void
+
+      def error: (String fmt, *untyped args) -> void
+
+      def info: (String fmt, *untyped args) -> void
+    end
+
+    module ProxyAuthenticator
+      RequestField: String
+
+      ResponseField: String
+
+      InfoField: String
+
+      AuthException: singleton(HTTPStatus::ClientError)
+    end
+  end
+end

data/sig/httpauth/basicauth.rbs

@@ -0,0 +1,29 @@
+module WEBrick
+  module HTTPAuth
+    class BasicAuth
+      @config: Hash[Symbol, untyped]
+
+      include Authenticator
+
+      AuthScheme: String
+
+      def self.make_passwd: (String? realm, String? user, String? pass) -> String
+
+      attr_reader realm: String?
+
+      attr_reader userdb: UserDB
+
+      attr_reader logger: Log
+
+      def initialize: (Hash[Symbol, untyped] config, ?Hash[Symbol, untyped] default) -> void
+
+      def authenticate: (HTTPRequest req, HTTPResponse res) -> void
+
+      def challenge: (HTTPRequest req, HTTPResponse res) -> bot
+    end
+
+    class ProxyBasicAuth < BasicAuth
+      include ProxyAuthenticator
+    end
+  end
+end

data/sig/httpauth/digestauth.rbs

@@ -0,0 +1,85 @@
+module WEBrick
+  module HTTPAuth
+    class DigestAuth
+      @config: Hash[Symbol, untyped]
+
+      @domain: Array[String]?
+
+      @use_opaque: bool
+
+      @use_next_nonce: bool
+
+      @check_nc: bool
+
+      @use_auth_info_header: bool
+
+      @nonce_expire_period: Integer
+
+      @nonce_expire_delta: Integer
+
+      @internet_explorer_hack: bool
+
+      @h: singleton(Digest::Base)
+
+      @instance_key: String
+
+      @opaques: Hash[String, OpaqueInfo]
+
+      @last_nonce_expire: Time
+
+      @mutex: Thread::Mutex
+
+      include Authenticator
+
+      AuthScheme: String
+
+      class OpaqueInfo < Struct[untyped]
+        attr_accessor time(): Time
+        attr_accessor nonce(): String?
+        attr_accessor nc(): String
+      end
+
+      attr_reader algorithm: String?
+
+      attr_reader qop: Array[String]
+
+      def self.make_passwd: (String realm, String user, String pass) -> untyped
+
+      def initialize: (Hash[Symbol, untyped] config, ?Hash[Symbol, untyped] default) -> void
+
+      def authenticate: (HTTPRequest req, HTTPResponse res) -> void
+
+      def challenge: (HTTPRequest req, HTTPResponse res, ?bool stale) -> bot
+
+      private
+
+      MustParams: Array[String]
+
+      MustParamsAuth: Array[String]
+
+      def _authenticate: (HTTPRequest req, HTTPResponse res) -> (:nonce_is_stale | bool)
+
+      def split_param_value: (String string) -> Hash[String, String]
+
+      def generate_next_nonce: (HTTPRequest req) -> String
+
+      def check_nonce: (HTTPRequest req, Hash[String, String] auth_req) -> bool
+
+      def generate_opaque: (HTTPRequest req) -> String
+
+      def check_opaque: (OpaqueInfo opaque_struct, untyped req, Hash[String, String] auth_req) -> bool
+
+      def check_uri: (HTTPRequest req, Hash[String, String] auth_req) -> bool
+
+      def hexdigest: (*_ToS? args) -> String
+    end
+
+    class ProxyDigestAuth < DigestAuth
+      include ProxyAuthenticator
+
+      private
+
+      def check_uri: (HTTPRequest req, Hash[String, String] auth_req) -> true
+    end
+  end
+end

data/sig/httpauth/htdigest.rbs

@@ -0,0 +1,31 @@
+module WEBrick
+  module HTTPAuth
+    class Htdigest
+      @path: String
+
+      @mtime: Time
+
+      @digest: Hash[String, Hash[String, String]]
+
+      @mutex: Thread::Mutex
+
+      @auth_type: String
+
+      include UserDB
+
+      def initialize: (String path) -> void
+
+      def reload: () -> void
+
+      def flush: (?String? output) -> void
+
+      def get_passwd: (String realm, String user, bool reload_db) -> String?
+
+      def set_passwd: (String realm, String user, String pass) -> String
+
+      def delete_passwd: (String realm, String user) -> String?
+
+      def each: () { (String user, String realm, String password_hash) -> void } -> void
+    end
+  end
+end

data/sig/httpauth/htgroup.rbs

@@ -0,0 +1,21 @@
+module WEBrick
+  module HTTPAuth
+    class Htgroup
+      @path: String
+
+      @mtime: Time
+
+      @group: Hash[String, Array[String]]
+
+      def initialize: (String path) -> void
+
+      def reload: () -> void
+
+      def flush: (?String? output) -> void
+
+      def members: (String group) -> Array[String]
+
+      def add: (String group, Array[String] members) -> void
+    end
+  end
+end